Hackers open new front in payment card data thefts

PCI Weaknesses?

The Hannaford breach, at least, points to possible holes in the PCI defense wall. The grocer has said that it was breached even though it had been certified as being compliant with the security standard last year and then again on February 27. That was the day Hannaford was first made aware of suspicious activity involving the credit cards of its customers.

Bob Russo, general manager of the PCI Security Standards Council, said last week that there isn't enough information available about the Hannaford and Okemo breaches to know for sure whether the PCI rules need to be tweaked. Russo vowed that if additional controls are necessary, changes will be made promptly by the council, an independent group that the credit card companies set up in 2006 to manage the standard.

Under existing rules, a company doesn't need to encrypt payment data while it's in transit within its own internal network. But Russo contended that if a company implemented all of the existing PCI controls, it wouldn't be possible for attackers to get at the information while it's being transmitted internally.

"Just because [Hannaford] raised their hand and said they were compliant doesn't necessarily mean they were compliant," Russo said. He added that all of the known data breaches involving companies covered by the PCI rules have happened because the merchants failed to fully comply with the security requirements.

Encrypting payment card data before it even reaches point-of-sale systems is one way to minimize the risk of data-in-transit thefts, Litan said. But tools that could enable companies to do that are just emerging from vendors such as VeriFone, she added. And at this early stage, installing the tools may require a heavy investment of time and effort on the part of users.

A more straightforward approach would be to better monitor corporate networks for the telltale signs of system intrusions, said Ken Pappas, a security strategist at Top Layer Networks, which sells intrusion-prevention systems. For example, looking at where data traffic is headed could give security managers a clear indication of whether transmissions are legitimate.

The techniques used to pull off data-in-transit heists really aren't all that new. Typically, perpetrators first gain access to a targeted network by taking advantage of a vulnerability that has yet to be detected or patched. Once the attackers get a foothold, they can deploy malware that can sniff the network for traffic they're interested in, such as credit card data.

The malware can also be programmed to queue the stolen data and send it in batches to an outside destination, as was the case with the Hannaford intrusion.

Eddie Schwartz, chief security officer at NetWitness, a vendor of network monitoring tools, said that over the past two years, overseas "carder gangs" that buy and sell stolen payment card numbers have been using data-sniffing tools in an effort to intercept information while it's being transmitted across networks.

"People are finally waking up and focusing on it," Schwartz said. He attributed the newfound interest to the attention generated by the breach at Hannaford, which has replaced all of its store servers as part of an attempt to rid its network of the malware installed there.